# Fortinet FortiSIEM v7
## Overview

The Fortinet FortiSIEM v7 connector enables seamless integration with Swimlane Turbine, providing automated actions for SIEM watchlist and event management.

Fortinet FortiSIEM v7 is a comprehensive SIEM solution that provides advanced security analytics, compliance reporting, and threat detection. This connector enables Swimlane Turbine users to integrate with FortiSIEM's robust monitoring and alerting capabilities, streamlining the management of watchlists, event queries, and organizational context retrieval. By leveraging this integration, security teams can automate the enrichment of security events, enhance incident response, and maintain a proactive security posture within their extended detection and response ecosystem.

## Prerequisites

Before integrating Fortinet FortiSIEM v7 with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the FortiSIEM v7 API
  - Username: the username credential for API access
  - Password: the password credential for API access

## Capabilities

This connector provides the following capabilities:

- Add Watch List
- Add Watch List Entry
- Delete Watch List By Id
- Delete Watch List Entry By Id
- Fetch Incidents By Filters
- Get Agent Status By Host
- Get All Watch Lists
- Get Device Information
- Get Devices
- Get Event Query Progress By Id
- Get Incident By Incident Id
- Get Incidents By Query Id
- Get List Of Monitored Organizations
- Get Watch List By Watch List Entry Id
- Get Watch List By Watch List Id
- and so on

## Notes

- This connector was developed against product version 7.1.3.
- API documentation link: https://fndn.fortinet.net/index.php?/fortiapi/2627-fortisiem/3790/

## Configurations

### Fortinet FortiSIEM v7 HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | The username is in the format of `<organizationname/username>` | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Watch List

Creates a new watchlist with specified entries in FortiSIEM for enhanced monitoring.

- Endpoint URL: `/phoenix/rest/watchlist/save`
- Method: POST

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | array | Output field response |
| response.id | number | Unique identifier |
| response.naturalid | string | Unique identifier |
| response.displayname | string | Name of the resource |
| response.description | string | Output field response.description |
| response.valuepattern | string | Value for the parameter |
| response.ageout | string | Output field response.ageout |
| response.topgroup | boolean | Output field response.topgroup |
| response.entries | array | Output field response.entries |
| response.entries.id | number | Unique identifier |
| response.entries.firstseen | number | Output field response.entries.firstseen |
| response.entries.lastseen | number | Output field response.entries.lastseen |
| response.entries.expiredtime | number | Time value |
| response.entries.state | string | Output field response.entries.state |
| response.entries.naturalid | string | Unique identifier |
| response.entries.triggeringrules | string | Output field response.entries.triggeringrules |
| response.entries.entryvalue | string | Value for the parameter |
| response.entries.description | string | Output field response.entries.description |
| response.entries.ageout | string | Output field response.entries.ageout |
| response.entries.count | number | Count value |
| response.entries.datacreationtype | number | Response data |

Output example:

```json
{"json_body": {"response": [{}]}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Add Watch List Entry

Adds entries to a specified watchlist in FortiSIEM, enhancing monitoring and alerting capabilities.

- Endpoint URL: `/phoenix/rest/watchlist/addto`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.watchlistid | number | required | The id field of the watchlist to which the posted entries should be added |

Input example:

```json
{"parameters": {"watchlistid": 1}, "json_body": [{"entryvalue": "myhost.example.com", "firstseen": 1613601369215, "lastseen": 1613601369215, "expiredtime": 1613601369215, "state": "enabled", "description": "description of entry", "ageout": "1d", "count": 10}]}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | string | Output field response |
| status | string | Status value |

Output example:

```json
{"json_body": {"response": "successfully added to watch list [ids]", "status": "success"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Delete Watch List By Id

Removes specified watchlists from FortiSIEM using their unique entry ids.

- Endpoint URL: `/phoenix/rest/watchlist/delete`
- Method: DELETE

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | string | Output field response |
| status | string | Status value |

Output example:

```json
{"json_body": {"response": "deleted watch lists [ids]", "status": "success"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Delete Watch List Entry By Id

Removes specified entries from a watchlist in FortiSIEM by using their unique ids.

- Endpoint URL: `/phoenix/rest/watchlist/entry/delete`
- Method: DELETE

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | string | Output field response |
| status | string | Status value |

Output example:

```json
{"json_body": {"response": "deleted entries [ids]", "status": "success"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Fetch Incidents By Filters

Retrieve incidents by time or incidentid with specific filter options and fields.

- Endpoint URL: `/phoenix/rest/pub/incident`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| filters | object | optional | Parameter for Fetch Incidents By Filters |
| filters.incidentid | array | optional | An array of integers representing specific incident ids to filter by |
| filters.incidentstatus | array | optional | Incident statuses: 0 active incidents, 1 auto-cleared incidents, 2 manually cleared incidents, 3 system cleared incidents |
| filters.eventseverity | array | optional | Possible values are from 1-10. To specify 1-4, provide an array such as `[1,2,3,4]` |
| filters.eventseveritycat | array | optional | Possible values are low, medium, high. To specify more than one, provide an array such as `["low","high"]` |
| filters.phincidentcategory | array | optional | Possible values are from 1-5: 1 = availability incidents, 2 = performance incidents, 3 = change incidents, 4 = security incidents, 5 = other incidents. To specify more than one, supply an array such as `[3,4,5]` (security, change, and other) |
| filters.phcustid | array | optional | This filter accepts an array of organization ids |
| filters.customer | array | optional | Parameter for Fetch Incidents By Filters |
| filters.incidentreso | array | optional | Filter by incident resolution status. Possible values are from 0-4: 0 = none, 1 = open, 2 = truepositive, 3 = falsepositive, 4 = inprogress. To specify more than one value, most fields accept an array such as `[0,1,2,3]` |
| timeto | number | optional | The end of the incident time range in epoch milliseconds. Required if the incidentid filter list is not specified |
| timefrom | number | optional | The start of the incident time range in epoch milliseconds. Required if the incidentid filter list is not specified |
| start | number | optional | Optional offset to start with; not needed if you are iterating using queryid and page numbers |
| size | number | optional | Number of items to return per page of incidents |
| orderby | string | optional | Set descending or ascending order of searched incidents using any datetime attribute, such as incidentlastseen |
| descending | string | optional | Specify whether the sort order is ascending or descending; only needed if orderby is set |
| fields | array | optional | Array of all the incident fields you would like returned |

Input example:

```json
{"json_body": {"filters": {"incidentid": [123456], "incidentstatus": [0], "eventseverity": [10], "eventseveritycat": ["high"], "phincidentcategory": [4], "phcustid": [2000], "customer": ["super"], "incidentreso": [1]}, "timeto": 1620684981736, "timefrom": 1620677781736, "start": 0, "size": 500, "orderby": "incidentlastseen", "descending": "true", "fields": ["eventtype"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| total | number | Output field total |
| pages | number | Output field pages |
| data | array | Response data |
| data.incidentid | number | Response data |
| data.incidenttitle | string | Response data |
| data.eventseverity | number | Response data |
| data.incidentfirstseen | number | Response data |
| data.incidentlastseen | number | Response data |
| data.incidentreso | number | Response data |
| data.incidentrptip | string | Response data |
| data.incidentrptdevname | string | Response data |
| data.incidentsrc | string | Response data |
| data.incidenttarget | string | Response data |
| data.count | number | Response data |
| data.attacktechnique | string | Response data |
| data.attacktactic | string | Response data |
| data.phsubincidentcategory | string | Response data |
| data.eventtype | string | Response data |
| data.eventname | string | Response data |
| data.phincidentcategory | number | Response data |
| data.incidentclearedtime | number | Response data |
| data.eventseveritycat | string | Response data |
| data.incidentdetail | string | Response data |

Output example:

```json
{"json_body": {"total": 4, "pages": 2, "data": [{}], "start": 0, "sizeperpage": 2, "queryid": "pub inc query 81 1684452618294"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Agent Status By Host

Incident status of Linux/Windows agents.

- Endpoint URL: `/phoenix/rest/agentstatus/all`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.request | string | optional | Request query with the format `request=orgid,hostname` |

Input example:

```json
{"parameters": {"request": "1,linux"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

Output example:

```json
{"json_body": {}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get All Watch Lists

Retrieves all watchlists and their entries from FortiSIEM for monitoring and analysis.

- Endpoint URL: `/phoenix/rest/watchlist/all`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | array | Output field response |
| response.id | number | Unique identifier |
| response.naturalid | string | Unique identifier |
| response.displayname | string | Name of the resource |
| response.description | string | Output field response.description |
| response.valuepattern | string | Value for the parameter |
| response.ageout | string | Output field response.ageout |
| response.topgroup | boolean | Output field response.topgroup |
| response.entries | array | Output field response.entries |
| response.entries.id | number | Unique identifier |
| response.entries.firstseen | number | Output field response.entries.firstseen |
| response.entries.lastseen | number | Output field response.entries.lastseen |
| response.entries.expiredtime | number | Time value |
| response.entries.state | string | Output field response.entries.state |
| response.entries.naturalid | string | Unique identifier |
| response.entries.triggeringrules | string | Output field response.entries.triggeringrules |
| response.entries.entryvalue | string | Value for the parameter |
| response.entries.description | string | Output field response.entries.description |
| response.entries.ageout | string | Output field response.entries.ageout |
| response.entries.count | number | Count value |
| response.entries.datacreationtype | number | Response data |

Output example:

```json
{"json_body": {"response": [{}]}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Device Information

Fetches the CMDB device info.

- Endpoint URL: `/phoenix/rest/cmdbdeviceinfo/devices`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.organization | string | optional | All devices in a particular org are fetched |
| parameters.includeips | string | optional | All devices in this address range are fetched |
| parameters.excludeips | string | optional | All devices in this address range are ignored |
| parameters.ip | string | optional | Full info about this particular device is fetched |
| parameters.loaddepend | string | optional | Can be set to true/false; full info about this particular device is fetched |
| parameters.fields | string | optional | A section of information (applications, interfaces, processors, storages) about one device is fetched |

Input example:

```json
{"parameters": {"organization": "test", "includeips": "172.16.1.1", "excludeips": "172.16.1.0", "ip": "172.16.1.3", "loaddepend": "false", "fields": "applications"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

Output example:

```json
{"json_body": {}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Devices

Retrieve a list of devices with a specific organization id and device IP/host name.

- Endpoint URL: `/phoenix/rest/device/list`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.orgid | string | required | The organization id of the device |
| parameters.accessip | string | optional | The IP address of the device |
| parameters.name | string | optional | The name of the device |

Input example:

```json
{"parameters": {"orgid": "123", "accessip": "127.0.0.1", "name": "router"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| id | number | Unique identifier |
| orgid | number | Unique identifier |
| orgname | string | Name of the resource |
| hostname | string | Name of the resource |
| accessip | string | Output field accessip |
| devicetype | string | Type of the resource |

Output example:

```json
{"json_body": {"id": 111111, "orgid": 1, "orgname": "super", "hostname": "fsm test 123456 0000", "accessip": "172.16.1.1", "devicetype": "redhat linux"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Event Query Progress By Id

Queries the progress of a previously submitted event query in FortiSIEM.

- Endpoint URL: `/phoenix/rest/query/progress/{{queryid}}`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.queryid | string | required | The requestid value retrieved from the eventquery response |
| headers | object | required | HTTP headers for the request |
| headers.accept | string | required | HTTP headers for the request |

Input example:

```json
{"path_parameters": {"queryid": "123"}, "headers": {"Accept": "application/xml"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

Output example:

```json
{"json_body": {}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Incident By Incident Id

Retrieve incidents by time or incidentid.

- Endpoint URL: `/phoenix/rest/pub/incident`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.status | array | optional | Optional list of incident status integer types to filter by: active = 0, automatically cleared = 1, manually cleared = 2, system cleared = 3. To specify all, use `status=[0,1,2,3]` |
| parameters.incidentid | array | optional | Array of incidents to query. If this value is used, the timeto and timefrom parameters are not needed |
| parameters.timefrom | number | optional | The start of the incident time range in epoch milliseconds; not required if querying by incident id |
| parameters.timeto | number | optional | The end of the incident time range in epoch milliseconds; not required if querying by incident id |
| parameters.size | number | optional | Optional size parameter: the number of incidents to return per page of query results. Default is 500 |

Input example:

```json
{"parameters": {"status": [0, 1], "incidentid": [22], "timefrom": 1683578670000, "timeto": 1684452600000, "size": 500}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| total | number | Output field total |
| pages | number | Output field pages |
| data | array | Response data |
| data.incidentid | number | Response data |
| data.incidenttitle | string | Response data |
| data.eventseverity | number | Response data |
| data.incidentfirstseen | number | Response data |
| data.incidentlastseen | number | Response data |
| data.incidentreso | number | Response data |
| data.incidentrptip | string | Response data |
| data.incidentrptdevname | string | Response data |
| data.incidentsrc | string | Response data |
| data.incidenttarget | string | Response data |
| data.count | number | Response data |
| data.attacktechnique | string | Response data |
| data.attacktactic | string | Response data |
| data.phsubincidentcategory | string | Response data |
| data.eventtype | string | Response data |
| data.eventname | string | Response data |
| data.phincidentcategory | number | Response data |
| data.incidentclearedtime | number | Response data |
| data.eventseveritycat | string | Response data |
| data.incidentdetail | string | Response data |

Output example:

```json
{"json_body": {"total": 4, "pages": 2, "data": [{}], "start": 0, "sizeperpage": 2, "queryid": "pub inc query 81 1684452618294"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Incidents By Query Id

Retrieve incidents using a specific query id and page number.

- Endpoint URL: `/phoenix/rest/pub/incident/{{queryid}}/{{pagenumber}}`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.queryid | string | required | The queryid returned in the response body of the action Get Incident By Incident Id |
| path_parameters.pagenumber | number | required | The page number to retrieve |

Input example:

```json
{"path_parameters": {"queryid": "pub inc query 81 1684452618294", "pagenumber": 1}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| total | number | Output field total |
| pages | number | Output field pages |
| data | array | Response data |
| data.incidentid | number | Response data |
| data.incidenttitle | string | Response data |
| data.eventseverity | number | Response data |
| data.incidentfirstseen | number | Response data |
| data.incidentlastseen | number | Response data |
| data.incidentreso | number | Response data |
| data.incidentrptip | string | Response data |
| data.incidentrptdevname | string | Response data |
| data.incidentsrc | string | Response data |
| data.incidenttarget | string | Response data |
| data.count | number | Response data |
| data.attacktechnique | string | Response data |
| data.attacktactic | string | Response data |
| data.phsubincidentcategory | string | Response data |
| data.eventtype | string | Response data |
| data.eventname | string | Response data |
| data.phincidentcategory | number | Response data |
| data.incidentclearedtime | number | Response data |
| data.eventseveritycat | string | Response data |
| data.incidentdetail | string | Response data |

Output example:

```json
{"json_body": {"total": 4, "pages": 2, "data": [{}], "start": 0, "sizeperpage": 2, "queryid": "pub inc query 81 1684452618294"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get List Of Monitored Organizations

Retrieve a list of organizations currently monitored by FortiSIEM.

- Endpoint URL: `/phoenix/rest/config/domain`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| headers.accept | string | required | HTTP headers for the request |

Input example:

```json
{"headers": {"Accept": "application/xml"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

Output example:

```json
{"json_body": {}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Watch List By Watch List Entry Id

Retrieve a specific watchlist in FortiSIEM by providing the unique entryid.

- Endpoint URL: `/phoenix/rest/watchlist/byentry/{{watchlistentryid}}`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.watchlistentryid | string | required | The id field of an individual entry within a watchlist to search with |

Input example:

```json
{"path_parameters": {"watchlistentryid": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | object | Output field response |
| response.id | number | Unique identifier |
| response.naturalid | string | Unique identifier |
| response.displayname | string | Name of the resource |
| response.description | string | Output field response.description |
| response.valuepattern | string | Value for the parameter |
| response.ageout | string | Output field response.ageout |
| response.topgroup | boolean | Output field response.topgroup |
| response.entries | array | Output field response.entries |
| response.entries.id | number | Unique identifier |
| response.entries.firstseen | number | Output field response.entries.firstseen |
| response.entries.lastseen | number | Output field response.entries.lastseen |
| response.entries.expiredtime | number | Time value |
| response.entries.state | string | Output field response.entries.state |
| response.entries.naturalid | string | Unique identifier |
| response.entries.triggeringrules | string | Output field response.entries.triggeringrules |
| response.entries.entryvalue | string | Value for the parameter |
| response.entries.description | string | Output field response.entries.description |
| response.entries.ageout | string | Output field response.entries.ageout |
| response.entries.count | number | Count value |
| response.entries.datacreationtype | number | Response data |
| status | string | Status value |

Output example:

```json
{"json_body": {"response": {"id": 899753, "naturalid": "ph dynlist mail violator", "displayname": "resource issues test wl grp4", "description": "servers, network or storage devices", "valuepattern": "testpattern", "ageout": "1w", "topgroup": false, "entries": []}, "status": "success"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Watch List By Watch List Id

Retrieve details of a specific watchlist in FortiSIEM by providing the watchlist id.

- Endpoint URL: `/phoenix/rest/watchlist/{{watchlistid}}`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.watchlistid | string | required | This is the incidentid to update |

Input example:

```json
{"path_parameters": {"watchlistid": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | array | Output field response |
| response.id | number | Unique identifier |
| response.naturalid | string | Unique identifier |
| response.displayname | string | Name of the resource |
| response.description | string | Output field response.description |
| response.valuepattern | string | Value for the parameter |
| response.ageout | string | Output field response.ageout |
| response.topgroup | boolean | Output field response.topgroup |
| response.entries | array | Output field response.entries |
| response.entries.id | number | Unique identifier |
| response.entries.firstseen | number | Output field response.entries.firstseen |
| response.entries.lastseen | number | Output field response.entries.lastseen |
| response.entries.expiredtime | number | Time value |
| response.entries.state | string | Output field response.entries.state |
| response.entries.naturalid | string | Unique identifier |
| response.entries.triggeringrules | string | Output field response.entries.triggeringrules |
| response.entries.entryvalue | string | Value for the parameter |
| response.entries.description | string | Output field response.entries.description |
| response.entries.ageout | string | Output field response.entries.ageout |
| response.entries.count | number | Count value |
| response.entries.datacreationtype | number | Response data |

Output example:

```json
{"json_body": {"response": [{}]}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Get Watch List Entry By Watch List Entry Id

Retrieves a specific watchlist entry from FortiSIEM using the provided entry id.

- Endpoint URL: `/phoenix/rest/watchlist/entry/{{watchlistentryid}}`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.watchlistentryid | string | required | The id field of an individual entry within a watchlist to search with |

Input example:

```json
{"path_parameters": {"watchlistentryid": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | object | Output field response |
| response.id | number | Unique identifier |
| response.firstseen | number | Output field response.firstseen |
| response.lastseen | number | Output field response.lastseen |
| response.expiredtime | number | Time value |
| response.state | string | Output field response.state |
| response.naturalid | string | Unique identifier |
| response.triggeringrules | string | Output field response.triggeringrules |
| response.entryvalue | string | Value for the parameter |
| response.description | string | Output field response.description |
| response.ageout | string | Output field response.ageout |
| response.count | number | Count value |
| response.datacreationtype | number | Response data |
| status | string | Status value |

Output example:

```json
{"json_body": {"response": {"id": 1, "firstseen": 1613601369215, "lastseen": 1613601369215, "expiredtime": 1613601369215, "state": "enabled", "naturalid": "10.65.20.240 1686877740000", "triggeringrules": "sudden change in dns data transfer pattern from a specific host", "entryvalue": "myhost.example.com", "description": "description of entry", "ageout": "1d", "count": 10, "datacreationtype": 0}, "status": "success"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Retrieve Context By Hostname

Retrieves the context information associated with a specified hostname in FortiSIEM.

- Endpoint URL: `/phoenix/rest/context/hostname`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.value | string | required | The hostname to retrieve context for |

Input example:

```json
{"parameters": {"value": "testdomain"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| contexts | array | Output field contexts |
| contexts.parameter | string | Parameter for the Retrieve Context By Hostname action |
| contexts.value | string | Value for the parameter |
| contexts.hostname | string | Name of the resource |
| contexts.devicetype | string | Type of the resource |
| contexts.importance | string | Output field contexts.importance |
| contexts.externallookups | object | Output field contexts.externallookups |
| contexts.externallookups.domain | string | Output field contexts.externallookups.domain |
| contexts.externallookups.fortiguardiocresult | object | Result of the operation |
| contexts.externallookups.fortiguardiocresult.wf cate | string | Result of the operation |
| contexts.externallookups.fortiguardiocresult.ioc tags | string | Result of the operation |
| contexts.externallookups.fortiguardiocresult.verdict | string | Result of the operation |
| contexts.externallookups.fortiguardiocresult.confidence | string | Unique identifier |
| contexts.externallookups.fortiguardiocresult.av cate | string | Result of the operation |
| contexts.externallookups.fortiguardiocresult.ioc cate | string | Result of the operation |
| contexts.externallookups.fortiguardiocresult.spam cate | string | Result of the operation |

Output example:

```json
{"json_body": {"contexts": [{}]}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Retrieve Context By IP

Retrieves the context information associated with a specified IP address from FortiSIEM.

- Endpoint URL: `/phoenix/rest/context/ip`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.value | string | required | The IP address to retrieve context for |

Input example:

```json
{"parameters": {"value": "1.1.1.1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| contexts | array | Output field contexts |
| contexts.parameter | string | Parameter for the Retrieve Context By IP action |
| contexts.value | string | Value for the parameter |
| contexts.hostname | string | Name of the resource |
| contexts.devicetype | string | Type of the resource |
| contexts.importance | string | Output field contexts.importance |
| contexts.location | object | Output field contexts.location |
| contexts.location.countrycode | string | Output field contexts.location.countrycode |
| contexts.location.countryname | string | Name of the resource |
| contexts.location.region | string | Output field contexts.location.region |
| contexts.location.city | string | Output field contexts.location.city |
| contexts.location.latitude | number | Output field contexts.location.latitude |
| contexts.location.longitude | number | Output field contexts.location.longitude |
| contexts.devicecustomproperties | array | Output field contexts.devicecustomproperties |
| contexts.devicecustomproperties.propertyname | string | Name of the resource |
| contexts.devicecustomproperties.propertyvalue | string | Value for the parameter |
| contexts.identities | array | Unique identifier |
| contexts.identities.ipaddr | string | Unique identifier |
| contexts.identities.firstseentime | string | Unique identifier |
| contexts.identities.lastseentime | string | Unique identifier |
| contexts.performanceinfo | object | Output field contexts.performanceinfo |
| contexts.performanceinfo.cpuutil | number | Output field contexts.performanceinfo.cpuutil |
| contexts.performanceinfo.memutil | number | Output field contexts.performanceinfo.memutil |

Output example:

```json
{"json_body": {"contexts": [{}]}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Retrieve Context By User

Retrieves the contextual data for a specified user within FortiSIEM, aiding user-centric analysis.

- Endpoint URL: `/phoenix/rest/context/user`
- Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.value | string | required | The name of the user to retrieve context for |

Input example:

```json
{"parameters": {"value": "test"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| contexts | array | Output field contexts |
| contexts.parameter | string | Parameter for the Retrieve Context By User action |
| contexts.value | string | Value for the parameter |
| contexts.location | object | Output field contexts.location |
| contexts.location.latitude | number | Output field contexts.location.latitude |
| contexts.location.longitude | number | Output field contexts.location.longitude |
| contexts.userinfo | object | Output field contexts.userinfo |
| contexts.userinfo.groups | array | Output field contexts.userinfo.groups |
| contexts.topeventtypes | array | Type of the resource |
| contexts.topeventtypes.eventtype | string | Type of the resource |
| contexts.topeventtypes.eventname | string | Name of the resource |
| contexts.topeventtypes.count | number | Type of the resource |

Output example:

```json
{"json_body": {"contexts": [{}]}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

### Update Incident

Update a single FortiSIEM incident.

- Endpoint URL: `/phoenix/rest/pub/incident/update/{{incidentid}}`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.incidentid | string | required | This is the incidentid to update |
| incidentid | number | optional | The unique incident id for this individual trigger of this incident |
| incidenttitle | string | optional | Dynamic title of the incident |
| eventseverity | number | optional | Integer severity 1-10 (1-4 low, 5-8 medium, 9-10 high) |
| incidentfirstseen | number | optional | Incident first seen time in epoch milliseconds |
| incidentlastseen | number | optional | Incident last seen time in epoch milliseconds |
| incidentreso | number | optional | Incident resolution integer value: none = 0, open = 1, truepositive = 2, falsepositive = 3, inprogress = 4 |
| incidentrptip | string | optional | Incident reporting IP, the log source of the incident |
| incidentrptdevname | string | optional | The incident reporting device name, the hostname of the log source of the incident |
| incidentsrc | string | optional | Attributes identifying the source of the incident, defined as a comma separated list of pairs. This is optional and depends on the incident |
| incidenttarget | string | optional | Attributes identifying the target of the incident, defined as a comma separated list of pairs. This is optional and depends on the incident |
| count | number | optional | Incident count. While the incident is active, this is the number of times the active incident has triggered for a distinct event window |
| attacktechnique | string | optional | The associated MITRE attack technique id and technique name |
| attacktactic | string | optional | The MITRE tactic associated with the incident |
| phsubincidentcategory | string | optional | Incident subcategory, often synonymous with the MITRE tactic but can be other categories as well |
| eventtype | string | optional | The incident event type, a special unique identifier of the incident/rule, not to be confused with a raw event's event type |
| eventname | string | optional | The incident name (display name), equivalent to the underlying rule name |
| phincidentcategory | number | optional | The integer incident category: availability = 1, performance = 2, change = 3, security = 4 and other = 5 |
| incidentclearedtime | number | optional | Incident cleared time in epoch milliseconds; if 0, it has never been cleared |
| eventseveritycat | string | optional | String representation of the incident severity: low, medium, high |
| incidentdetail | string | optional | Incident detail metadata associated with the incident, defined as a comma separated list of pairs. This is optional and depends on the incident |
| incidentstatus | number | optional | Integer incident status types to filter by: active = 0, automatically cleared = 1, manually cleared = 2 and system cleared = 3 |
| customer | string | optional | The FortiSIEM organization name for which the incident triggered |
| phcustid | number | optional | The FortiSIEM organization id |
| incidentextuser | string | optional | The user as defined in the external ticketing system |

Input example:

```json
{"json_body": {"incidentid": 12, "incidenttitle": "", "eventseverity": 9, "incidentfirstseen": 1683595260000, "incidentlastseen": 1684439940000, "incidentreso": 1, "incidentrptip": "192.168.1.25", "incidentrptdevname": "lab1.example.com", "incidentsrc": "user:administrator", "incidenttarget": "hostname:lab.example.com", "count": 25, "attacktechnique": "[{\"name\": \"Endpoint Denial of Service: Application or System Exploitation\", \"techniqueid\": \"T1499.004\"}]", "attacktactic": "impact", "phsubincidentcategory": "impact", "eventtype": "ph rule high sev scanner", "eventname": "scanner found severe vulnerability", "phincidentcategory": 4, "incidentclearedtime": 0, "eventseveritycat": "medium", "incidentdetail": "vulnname:Microsoft Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability", "incidentstatus": 0, "customer": "super", "phcustid": 2000, "incidentextuser": "myuser", "incidentextclearedtime": 1683595260000, "incidentextticketid": "12345", "incidentextticketstate": "closed", "incidentexttickettype": "incident"}, "path_parameters": {"incidentid": "12"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "response_text": "success"}
```

### Update Watch List Entry

Updates a specified watchlist entry in FortiSIEM by providing the unique entry id.

- Endpoint URL: `/phoenix/rest/watchlist/entry/save`
- Method: PUT

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | optional | The integer identifier of a single watchlist entry; this is used to find the watchlist entry and update it |
| entryvalue | string | optional | The new value of the watchlist entry to update |

Input example:

```json
{"json_body": {"id": 889400, "entryvalue": "pvvol a001 a000356 power23"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | object | Output field response |
| response.id | number | Unique identifier |
| response.firstseen | number | Output field response.firstseen |
| response.lastseen | number | Output field response.lastseen |
| response.expiredtime | number | Time value |
| response.state | string | Output field response.state |
| response.naturalid | string | Unique identifier |
| response.triggeringrules | string | Output field response.triggeringrules |
| response.entryvalue | string | Value for the parameter |
| response.description | string | Output field response.description |
| response.ageout | string | Output field response.ageout |
| response.count | number | Count value |
| response.datacreationtype | number | Response data |
| status | string | Status value |

Output example:

```json
{"json_body": {"response": {"id": 1, "firstseen": 1613601369215, "lastseen": 1613601369215, "expiredtime": 1613601369215, "state": "enabled", "naturalid": "10.65.20.240 1686877740000", "triggeringrules": "sudden change in dns data transfer pattern from a specific host", "entryvalue": "myhost.example.com", "description": "description of entry", "ageout": "1d", "count": 10, "datacreationtype": 0}, "status": "success"}, "reason": "OK", "response_headers": {}, "status_code": 200}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
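The incident query described under Fetch Incidents By Filters and the page-by-page follow-up under Get Incidents By Query Id are easy to get subtly wrong: the time window is mandatory unless incident ids are supplied, the enumerated filters have fixed ranges, and the follow-up pages are addressed by the queryid the first response returns. The following is an added example (not Swimlane's or Fortinet's own code) that validates a query against those documented rules before anything is sent and plans the page fetches from a first response. Endpoint paths, field names and value ranges are as the page gives them; the base URL and the query id used in the sample are constructed placeholders, and numbering pages 1..pages is an assumption based on the page's example fetching page 1.

```python
"""Build FortiSIEM v7 incident queries and plan the follow-up page fetches (added example)."""
import base64
import math
from typing import Any, Dict, Iterable, List, Optional, Tuple
from urllib.parse import quote

INCIDENT_PATH = "/phoenix/rest/pub/incident"                 # Fetch Incidents By Filters (POST)
PAGE_PATH = "/phoenix/rest/pub/incident/{queryid}/{page}"    # Get Incidents By Query Id (GET)

# Documented value ranges of the enumerated filters (range() upper bound is exclusive).
FILTER_RANGES: Dict[str, range] = {
    "incidentstatus": range(0, 4),       # 0 active .. 3 system cleared
    "eventseverity": range(1, 11),       # 1 .. 10
    "phincidentcategory": range(1, 6),   # 1 availability .. 5 other
    "incidentreso": range(0, 5),         # 0 none .. 4 inprogress
}
SEVERITY_CATS = {"low", "medium", "high"}


def basic_auth_header(organization: str, username: str, password: str) -> Dict[str, str]:
    """HTTP Basic header; the connector takes the username as <organizationname/username>."""
    raw = f"{organization}/{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def build_incident_query(base_url: str, *, timefrom: Optional[int] = None,
                         timeto: Optional[int] = None,
                         incidentid: Optional[Iterable[int]] = None,
                         filters: Optional[Dict[str, List[Any]]] = None,
                         start: int = 0, size: int = 500,
                         orderby: str = "incidentlastseen", descending: bool = True,
                         fields: Optional[Iterable[str]] = None) -> Tuple[str, str, Dict[str, Any]]:
    """Return (method, url, json_body) for POST /phoenix/rest/pub/incident.

    Rejects what the page documents as invalid before anything is sent: the
    epoch-millisecond window is required unless incidentid is given, and each
    enumerated filter must stay inside its documented range.
    """
    filters = {k: list(v) for k, v in (filters or {}).items()}
    if incidentid:
        filters["incidentid"] = [int(i) for i in incidentid]
    elif timefrom is None or timeto is None:
        raise ValueError("timefrom and timeto are required unless incidentid is given")
    if timefrom is not None and timeto is not None and timefrom > timeto:
        raise ValueError("timefrom is later than timeto")
    for name, allowed in FILTER_RANGES.items():
        bad = [v for v in filters.get(name, []) if v not in allowed]
        if bad:
            raise ValueError(f"{name}: {bad} outside {allowed.start}..{allowed.stop - 1}")
    unknown = set(filters.get("eventseveritycat", [])) - SEVERITY_CATS
    if unknown:
        raise ValueError(f"eventseveritycat: unknown values {sorted(unknown)}")
    body: Dict[str, Any] = {"filters": filters, "start": start, "size": size,
                            "orderby": orderby, "descending": "true" if descending else "false"}
    if timefrom is not None:
        body["timefrom"] = timefrom
    if timeto is not None:
        body["timeto"] = timeto
    if fields:
        body["fields"] = list(fields)
    return "POST", base_url.rstrip("/") + INCIDENT_PATH, body


def expected_pages(total: int, sizeperpage: int) -> int:
    """Cross-check the 'pages' a response reports against its total and sizeperpage."""
    return math.ceil(total / sizeperpage) if sizeperpage > 0 else 0


def plan_page_urls(base_url: str, first_response: Dict[str, Any]) -> List[str]:
    """List the GET urls that fetch every page of a query by its queryid.

    Assumes pages are numbered 1..pages (the page's example fetches page 1).
    The queryid is percent-encoded so it is safe inside a path segment.
    """
    pages = int(first_response.get("pages") or 0)
    queryid = first_response.get("queryid")
    if not queryid or pages < 1:
        return []
    root = base_url.rstrip("/")
    return [root + PAGE_PATH.format(queryid=quote(str(queryid), safe=""), page=p)
            for p in range(1, pages + 1)]


if __name__ == "__main__":
    # Constructed sample: a two-hour window, open security incidents only.
    method, url, body = build_incident_query(
        "https://fortisiem.example.invalid", timefrom=1620677781736, timeto=1620684981736,
        filters={"incidentstatus": [0], "phincidentcategory": [4], "incidentreso": [1]},
        fields=["eventtype", "incidenttitle"])
    print(method, url, body)
    # Constructed first response shaped like the page's output example.
    print(plan_page_urls("https://fortisiem.example.invalid",
                         {"total": 4, "pages": 2, "sizeperpage": 2, "queryid": "pub_inc_query_EXAMPLE"}))
```

Validating locally means a mistyped status code or a missing window is reported in the playbook step rather than as an opaque error from the SIEM; `expected_pages` is there to catch a response whose `pages` does not agree with `total` and `sizeperpage`, which usually means the query was narrowed between calls.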
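The Update Incident field descriptions pack several conventions into one record: integer codes for status, resolution and category, a 1-10 severity with documented low/medium/high bands, `incidentsrc`, `incidenttarget` and `incidentdetail` as comma separated lists of pairs, `incidentclearedtime` of 0 meaning never cleared, and `attacktechnique` carried as a JSON document inside a JSON string. The following is an added example (not Swimlane's or Fortinet's own code) that decodes such a record into names a playbook can branch on. The codes and bands are the page's; the `key:value` form of a pair is an assumption (the page only says "pairs"), and the sample record is constructed from the page's Update Incident input example, which also shows the edge case the decoder flags: a severity of 9 labelled "medium".

```python
"""Decode the enumerated fields and pair lists of a FortiSIEM incident record (added example)."""
import json
from typing import Any, Dict, List

# Enumerations as documented for the Update Incident action.
INCIDENT_STATUS = {0: "active", 1: "automatically cleared", 2: "manually cleared", 3: "system cleared"}
INCIDENT_RESOLUTION = {0: "none", 1: "open", 2: "truepositive", 3: "falsepositive", 4: "inprogress"}
INCIDENT_CATEGORY = {1: "availability", 2: "performance", 3: "change", 4: "security", 5: "other"}


def severity_category(eventseverity: int) -> str:
    """Map the 1..10 integer severity to its documented band (1-4 low, 5-8 medium, 9-10 high)."""
    if 1 <= eventseverity <= 4:
        return "low"
    if 5 <= eventseverity <= 8:
        return "medium"
    if 9 <= eventseverity <= 10:
        return "high"
    raise ValueError(f"eventseverity {eventseverity} outside 1..10")


def parse_pairs(text: str) -> Dict[str, str]:
    """Parse the comma separated list of pairs used by incidentsrc, incidenttarget and incidentdetail.

    Assumes each pair is written key:value (assumption; the page does not name the
    separator). Splits on the first ':' only, so values that themselves contain ':'
    survive, and tolerates an empty or missing field.
    """
    pairs: Dict[str, str] = {}
    for item in (text or "").split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        pairs[key.strip()] = value.strip() if sep else ""
    return pairs


def parse_attack_techniques(value: Any) -> List[Dict[str, str]]:
    """attacktechnique arrives as a JSON array encoded inside a JSON string (see the
    Update Incident input example); accept either that or an already-decoded list."""
    if value in (None, ""):
        return []
    if isinstance(value, str):
        value = json.loads(value)
    return list(value)


def decode_incident(record: Dict[str, Any]) -> Dict[str, Any]:
    """Turn an incident's integer codes into names and flag internal inconsistencies."""
    severity = int(record.get("eventseverity", 0))
    band = severity_category(severity)
    stated = record.get("eventseveritycat")
    cleared_at = int(record.get("incidentclearedtime") or 0)   # 0 means never cleared
    techniques = parse_attack_techniques(record.get("attacktechnique"))
    return {
        "incidentid": record.get("incidentid"),
        "status": INCIDENT_STATUS.get(record.get("incidentstatus"), "unknown"),
        "resolution": INCIDENT_RESOLUTION.get(record.get("incidentreso"), "unknown"),
        "category": INCIDENT_CATEGORY.get(record.get("phincidentcategory"), "unknown"),
        "severity": severity,
        "severity_band": band,
        # True when the string category the record carries disagrees with its integer severity.
        "severity_mismatch": stated is not None and stated != band,
        "cleared": cleared_at != 0,
        "source": parse_pairs(record.get("incidentsrc", "")),
        "target": parse_pairs(record.get("incidenttarget", "")),
        "detail": parse_pairs(record.get("incidentdetail", "")),
        "technique_ids": [t.get("techniqueid") for t in techniques],
    }


# Constructed sample shaped like the page's Update Incident input example.
SAMPLE_INCIDENT: Dict[str, Any] = {
    "incidentid": 12,
    "eventseverity": 9,
    "eventseveritycat": "medium",
    "incidentreso": 1,
    "incidentstatus": 0,
    "phincidentcategory": 4,
    "incidentclearedtime": 0,
    "incidentsrc": "user:administrator",
    "incidenttarget": "hostname:lab.example.com",
    "incidentdetail": "vulnname:Microsoft Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability",
    "attacktechnique": '[{"name": "Endpoint Denial of Service: Application or System Exploitation", "techniqueid": "T1499.004"}]',
}

if __name__ == "__main__":
    print(json.dumps(decode_incident(SAMPLE_INCIDENT), indent=2))
```

A playbook that routes on `severity_band` rather than on the free-text `eventseveritycat` avoids acting on a label that disagrees with the numeric severity; surfacing `severity_mismatch` as a separate flag keeps that disagreement visible to the analyst instead of silently picking one side.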